Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"

Objectives:
The student will become familiar with how to use DOS DEBUG to:
clear the DEBUG workspace RAM with zeros,
load a raw sector into RAM,
display RAM contents on screen.

Competency:
The student will know how to use DEBUG's basic commands for the purposes of data recovery, including how to clear the DEBUG RAM workspace with zeros, how to load a raw sector into RAM and how to display its contents on screen.

DEBUG.EXE

This machine language programmer's tool has been included with all versions of DOS from the beginning up to the WIN9x family and the WINNT family, including Windows XP. Because the 32-bit Windows operating systems are protected mode operating systems, many of the more powerful, and hence more useful, capabilities of DEBUG will be blocked if they are attempted from DEBUG running within a DOS box. As such, all exercises with DEBUG must be performed from a DOS-only boot (i.e. a DOS bootable diskette or CD-ROM).

Procedures

Boot to the Room 6359 student CD-ROM. Cancel the virus scan if it starts with [Ctrl]+[Break]. From the Q:\BOOTNAV prompt, change to the K: RAM Drive, which the bootable CD-ROM automatically creates. Insert a boot diskette into the floppy drive, which has been remapped by the bootable CD-ROM to be physical diskette drive B:, and then start DEBUG:

K:\>debug
-_

At the DEBUG "dash prompt" enter the command "d 100 1ff", which tells DEBUG to dump or display the contents of RAM from offset 100h to offset 1FFh on screen. Note that the program DEBUG itself occupies the first 256 bytes of RAM from offset 0 to offset FFh and these are off limits. The workspace begins at offset 100h and is roughly 32KB in size. Going beyond the end of the workspace, one runs into DEBUG again and corrupts it, forcing a reboot. Corrupting the area below offset 100h can also lock up the machine and force a reboot:

The offset of the first byte of each row is displayed at the far left of the output, the actual byte values at each location are shown in hexadecimal across the rows, and the ASCII code equivalents are shown at the far right. If there is no text ASCII code equivalent of the value, DEBUG displays a period instead. Therefore it is important to know the ASCII code for a period itself, since at the right it could be mistaken for a byte that has no ASCII equivalent when in fact it is a period. The ASCII code for a period is "2Eh". A byte holding this value is highlighted, along with its ASCII equivalent at the far right, to clarify:

DEBUG is displaying the random data that was already present in the RAM workspace before it was launched. This area can be filled with zeros using the FILL command like this:

-f 100 2ff 0
-_

The FILL command says "F(ill from offset) 100 (to offset) 2FF (with) 0". The reason the area from 100 to 2FF is filled with zeros (as opposed to just up to 1FF) is that a physical sector from the floppy is 512 bytes, or 200h bytes, which will span from offset 100h up to offset 2FFh. Now display the first 256 bytes of this area again with the "d 100 1ff" command and it is plain that the area has in fact been filled with zeros:

Now that the RAM workspace has been cleared, a raw sector will be read from the floppy into it. This requires the LOAD command. The LOAD command depends on DOS being able to read the drive. If DOS cannot read the drive then an error will occur. Under many data recovery scenarios, DOS cannot read the drive because the DOS Boot Record has been damaged. In that case the raw BIOS "read sector" command will be used. But first, use the DEBUG LOAD command "L 100 1 0 1", which means: "L(oad into offset) 100 (from drive number) 1 (logical sector number) 0 (a total of) 1 (sectors)", where the drives are numbered A: = 0, B: = 1, C: = 2 and so on. The first logical sector of the drive, numbered zero, is the DBR of that drive, so in this case the boot sector of the B: drive is being requested. As you press [Enter] for the command, watch the diskette drive activity light:

-L 100 1 0 1
-_

Having loaded the boot sector of the diskette into RAM offset 100h, display it on screen now:

This is a typical floppy DBR. In later exercises, the entire Drive Parameter Block at the top will be analyzed, but for now note the driver signature "MSWIN4.1" indicating that Windows 98 formatted this diskette. Now display the bottom 256 bytes of it with the "d 200 2ff" command:

Note the typical error messages displayed by a nonbootable floppy, "Invalid system disk...", embedded within this boot sector code. The names of the files that the bootstrap loader program (embedded above the messages) will try to find and load into RAM are listed near the bottom: "IO SYS and MSDOS SYS". The last two bytes of the sector, "55 AA", are the BIOS standard boot signature, indicating that this is a "good" boot sector.
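The dump layout and the boot sector checks described above can be reproduced away from the DOS machine, for example on a sector that has been saved to a file. The following Python sketch is an added example, not part of the original tutorial: the sector it builds is constructed sample data, the function names are hypothetical, and treating 20h through 7Eh as the bytes with a text equivalent is an assumption.

```python
# Added example: mimic DEBUG's "d" layout for a sector loaded at offset 100h
# and repeat the boot-sector checks the tutorial performs by eye.
LOAD_OFFSET = 0x100   # where "L 100 1 0 1" places the sector
SECTOR_SIZE = 0x200   # 512 bytes, so the sector spans 100h..2FFh


def build_sample_sector():
    """Constructed 512-byte boot sector; not read from a real diskette."""
    sector = bytearray(SECTOR_SIZE)
    fields = {0x000: b"\xEB\x3C\x90",              # jump instruction
              0x003: b"MSWIN4.1",                  # OEM/driver signature
              0x1A0: b"Invalid system disk",       # error message text
              0x1D8: b"IO      SYSMSDOS   SYS",    # file names, space padded
              0x1FE: b"\x55\xAA"}                  # BIOS boot signature
    for pos, value in fields.items():
        sector[pos:pos + len(value)] = value
    return bytes(sector)


def dump(data, start, end, base=LOAD_OFFSET):
    """Rows in the style of DEBUG's 'd start end' (segment prefix omitted)."""
    rows = []
    for row in range(start, end + 1, 16):
        chunk = data[row - base:min(row + 16, end + 1) - base]
        hexes = [f"{b:02X}" for b in chunk]
        # Assumption: 20h..7Eh are shown as text; every other byte as "."
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{row:04X}  {' '.join(hexes[:8])}-{' '.join(hexes[8:])}   {text}")
    return rows


def real_periods(data, base=LOAD_OFFSET):
    """Offsets whose byte really is 2Eh, i.e. a true '.' in the text column."""
    return [base + i for i, b in enumerate(data) if b == 0x2E]


def check_boot_sector(data):
    """Return the OEM field and whether the last two bytes are 55 AA."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {"oem": data[3:11].decode("ascii", errors="replace"),
            "signature_ok": data[510:512] == b"\x55\xAA"}


if __name__ == "__main__":
    sector = build_sample_sector()
    print("\n".join(dump(sector, 0x100, 0x11F)))
    print(check_boot_sector(sector), [hex(o) for o in real_periods(sector)])
```

In the sample sector the only true period in the text column is at offset 109h, inside "MSWIN4.1"; every other "." in the dump stands for a byte with no text equivalent.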

In the next tutorial, the student will learn how to save the sector to a file and how to restore it to a diskette in which the sector has been damaged.